We claim:

15. A firewall for controlling network data packet traffic between internal and external networks comprising: filtering means for selecting from a total set of rules, in dependence of the contents in data fields of a data packet being transmitted between said networks, a rule applicable to said data packet, in order to block said packet or to forward said packet through the firewall, means for look-up in a 2-dimensional table of source and destination addresses of the packet in a set of address prefixes, each address prefix having a subset of rules of the total set of rules, in order to find an address prefix, via its representation, associated with said source and destination addresses, and rule matching means for rule matching on the basis of the contents of said data fields in order to find the rule applicable to said data packet.

16. A firewall according to claim 15, wherein said means for look-up in a 2-dimensional table comprises means for finding the prefix associated with said source and destination addresses by determining the closest dominating point $\hat{p}$ in $\hat{P}$ under the norm $L_\infty$, i.e. the dominating point $p_i \in \hat{P}$ of $p$ minimising the $L_\infty$-distance between $p_i$ and $p$.

17. A firewall according to claim 16, wherein the source and destination addresses are represented by a point $(s,d) \in U$, wherein $U$ is a 2-dimensional address space represented by integer pairs $(s,d)$ satisfying:

$0 \le s < 2^{32}$, $0 \le d < 2^{32}$,

the set of prefixes $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ is a partition of the address space $U$, and

each prefix $P_i$ is a logical rectangle $R$ in the address space $U$ defined by $[(s_0,d_0),(s_1,d_1)]$, where $s_1 - s_0 = s_1 - 2^{i_s} k_s = 2^{i_s}$ and $d_1 - d_0 = d_1 - 2^{i_d} k_d = 2^{i_d}$ for some non-negative integers $i_s$, $i_d$, $k_s$ and $k_d$,

said logical rectangle $R$ being a subset of $U$ satisfying: $(s,d) \in R$ if $s_0 \le s < s_1$, $d_0 \le d < d_1$, wherein $(s_0,d_0), (s_1,d_1) \in U$, and the pair of points $[(s_0,d_0),(s_1,d_1)]$ uniquely defines said rectangle $R$.

18. A firewall according to claim 16, wherein for each prefix $P = [(s_0,d_0),(s_1,d_1)] \in \mathcal{P}$, the point $p_0 = (s_0,d_0)$ is a representative of $P$, and $\hat{P} = \{p_1, p_2, \ldots, p_n\} = \{(s_1,d_1), (s_2,d_2), \ldots, (s_n,d_n)\}$ is the set of representatives of the prefixes in $\mathcal{P}$, wherein given a point $(s_d,d_d) \in U$, for each $(s,d) \in U$ wherein $s_d \ge s$ and $d_d \ge d$, $(s,d)$ is dominated by $(s_d,d_d)$.

19. A firewall according to claim 11, wherein, given a pair of points $(s_1,d_1), (s_2,d_2) \in U$, the distance between the points under the norm $L_\infty$ is given by:

$$\lim_{k \to \infty} \sqrt[k]{|s_1 - s_2|^k + |d_1 - d_2|^k} = \max(|s_1 - s_2|, |d_1 - d_2|).$$

20. A firewall according to claim 15, further comprising a fragment machine comprising fragment collecting means for collecting packet fragments from a fragmented packet until a fragment header of said packet is received, fragment header storing means for storing in an entry means information present in a fragment header field of the packet, fragment forwarding means for forwarding packet fragments provided with fragment header information starting with the fragment header, wherein each fragment is processed by the filtering means as a regular unfragmented packet.

21. A firewall according to claim 15, further comprising network address translation means for translating, in dependence of the information in the prefix, internal source addresses to external source addresses of a packet transmitted out through the firewall, or external source addresses to internal source addresses of a packet transmitted in through the firewall.

22. A firewall according to claim 15, further comprising network address translation means for translating, in dependence of the information in the prefix, internal source addresses to external source addresses of a packet transmitted from the internal network to the external network, or external source addresses to internal source addresses of a packet transmitted from the external network to the internal network.

23. A firewall according to claim 15, further comprising hole punching means for determining, on the basis of the information in the prefix, if said packet is subject to a temporary exception from an external-to-internal blocking rule for a connection initiated from the internal network, wherein a return channel for packets transmitted from the external network to the internal network is established through the firewall during the lifetime of the connection.

24. A firewall for controlling network data packet traffic between internal and external networks, comprising: filtering means for selecting from a total set of rules, in dependence of the contents in data fields of a data packet being transmitted between said networks, a rule applicable to the data packet, in order to block said packet or to forward the packet through the firewall; a fragment machine comprising fragment collecting means for collecting packet fragments from a fragmented packet until a fragment header of said packet is received, fragment header storing means for storing in an entry means information present in a fragment header field of the packet, fragment forwarding means for forwarding packet fragments provided with fragment header information starting with the fragment header, wherein each fragment is processed by the filtering means as a regular unfragmented packet.

25. A method of controlling network data packet traffic between internal and external networks through a firewall, comprising the steps of:

selecting from a total set of rules, in dependence of the contents in the data fields of a data packet being transmitted between said networks, a rule applicable to the data packet,

applying said rule on said packet,

depending on the rule, blocking said packet or forwarding said packet through the firewall,

performing a lookup in a 2-dimensional table of the source and destination addresses of the packet in order to find a prefix, via its representation, associated with said source and destination addresses in a set of address prefixes, each prefix having a subset of rules of the total set of rules,

and on the basis of the contents of said data fields of the packet, performing a rule matching on the subset of rules in order to find the rule applicable to the data packet.

26. A method according to claim 25, wherein the step of selecting a rule applicable to the data packet comprises the further steps of:

collecting packet fragments from a fragmented packet until a fragment header of said packet is received,

storing in an entry means information present in a fragment header field of the packet, and

forwarding packet fragments provided with fragment header information starting with the fragment header, wherein each fragment is processed by the filtering means as a regular unfragmented packet.

27. A method according to claim 25, wherein the step of performing a rule matching comprises the further step of:

in dependence of the information in the prefix, translating the external source address to an internal source address of a packet to be transmitted in through the firewall.

28. A method according to claim 25, wherein the step of performing a rule matching comprises the further step of:

depending on the information in the prefix, translating the external source address to an internal source address of a packet to be transmitted from the external network to the internal network.

29. A method according to claim 25, further comprising the step of:

depending on the information in the prefix, translating the internal source address to an external source address of a packet to be transmitted out through the firewall.

30. A method according to claim 25, further comprising the step of:

depending on the information in the prefix, translating the internal source address to an external source address of a packet to be transmitted from the internal network to the external network.

31. A method according to claim 25, wherein the step of performing a rule matching comprises the further steps of:

based on the information in the prefix, determining if said packet is subject to a temporary exception from an external-to-internal blocking rule for a connection initiated from the internal network,

if so, establishing a return channel for packets transmitted from the external network to the internal network through the firewall, having a duration corresponding to the lifetime of the connection.
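The following is an added example, not code from the patent, showing how the prefix-driven address translation of claims 21, 22 and 27 to 30 and the temporary return channel of claims 23 and 31 fit together in one small stateful firewall. It assumes that the information stored with an internal address prefix is the external address to present, a flag saying whether internally initiated connections may open a return channel, and the channel lifetime in seconds; the addresses, ports and lifetime below are constructed sample values. The inbound direction maps the packet's public destination back to the internal host (the usual NAT behaviour); ports are kept unchanged, so two internal hosts using the same source port towards the same server would collide, which a production implementation resolves by also rewriting ports.

```python
"""
Prefix-driven address translation with a temporary return channel for connections
opened from the internal side.  Added example, not the patent's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class PrefixInfo:
    """Information kept with an address prefix of the internal network (assumed layout)."""
    internal: ipaddress.IPv4Network
    external: ipaddress.IPv4Address   # address presented to the external network
    allow_return: bool                # may internally initiated connections open a return channel?
    lifetime: float                   # seconds the return channel stays open


def make_prefix(internal_cidr: str, external_ip: str, allow_return: bool, lifetime: float) -> PrefixInfo:
    return PrefixInfo(ipaddress.IPv4Network(internal_cidr), ipaddress.IPv4Address(external_ip),
                      allow_return, lifetime)


class Clock:
    """Controllable clock so the lifetime handling can be exercised deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, secs: float) -> None:
        self.now += secs


class NatFirewall:
    def __init__(self, prefixes, clock: Clock) -> None:
        self.prefixes = list(prefixes)
        self.clock = clock
        # return channels: (proto, ext_ip, ext_port, our_ext_ip, our_port) -> (internal_ip, expiry)
        self.channels: Dict[Tuple, Tuple[str, float]] = {}

    def _prefix_for(self, internal_ip: str) -> Optional[PrefixInfo]:
        addr = ipaddress.IPv4Address(internal_ip)
        for p in self.prefixes:
            if addr in p.internal:
                return p
        return None

    def outbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Internal -> external: translate the source address; open a return channel if permitted."""
        info = self._prefix_for(pkt.src)
        if info is None:
            return ("block", None)            # no prefix for this source: default deny
        ext = str(info.external)
        if info.allow_return:
            key = (pkt.proto, pkt.dst, pkt.dport, ext, pkt.sport)
            self.channels[key] = (pkt.src, self.clock.now + info.lifetime)
        return ("forward", Packet(ext, pkt.dst, pkt.proto, pkt.sport, pkt.dport))

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """External -> internal: blocked unless a live return channel exists for this packet."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        channel = self.channels.get(key)
        if channel is None:
            return ("block", None)
        internal_ip, expiry = channel
        if self.clock.now > expiry:
            del self.channels[key]             # lifetime elapsed: the exception is gone
            return ("block", None)
        return ("forward", Packet(pkt.src, internal_ip, pkt.proto, pkt.sport, pkt.dport))


if __name__ == "__main__":
    clock = Clock()
    fw = NatFirewall([make_prefix("10.0.0.0/8", "198.51.100.1", True, 30.0)], clock)
    print(fw.outbound(Packet("10.1.2.3", "203.0.113.7", "tcp", 40000, 443)))   # forwarded, src rewritten
    print(fw.inbound(Packet("203.0.113.7", "198.51.100.1", "tcp", 443, 40000)))  # reply: forwarded
    print(fw.inbound(Packet("203.0.113.9", "198.51.100.1", "tcp", 1234, 22)))    # unsolicited: blocked
    clock.advance(31.0)
    print(fw.inbound(Packet("203.0.113.7", "198.51.100.1", "tcp", 443, 40000)))  # expired: blocked
```

The return-channel key is the full 5-tuple of the translated outbound packet, so only the peer that was contacted can use the exception, and the expiry check is done on every inbound packet rather than relying on a background sweep.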

15 

32. A method of controlling network data packet traffic between internal and external networks through a firewall, comprising the steps of:

in dependence of the contents in the data fields of a data packet being transmitted between said networks, selecting from a total set of rules a rule applicable to the data packet,

applying said rule on said packet,

and depending on the rule, blocking said packet or forwarding said packet through the firewall,

wherein the step of selecting a rule applicable to the data packet comprises the further steps of:

collecting packet fragments from a fragmented packet until a fragment header of said packet is received,

storing in an entry means information present in a fragment header field of the packet, and

forwarding packet fragments provided with fragment header information starting with the fragment header, wherein each fragment is processed by the filtering means as a regular unfragmented packet.
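The fragment machine of claims 20, 24, 26 and 32, as an added example that is not the patent's own code. It assumes IPv4 semantics: fragments of one datagram share (source, destination, protocol, identification), and only the fragment at offset 0 carries the transport header with the port numbers. Fragments that arrive before that header are held in a bounded per-datagram buffer; once the header fragment arrives its port information is stored in the entry and every held and subsequent fragment is handed to the filter together with that information, so the filter sees each fragment as if it were a complete packet. The datagram, addresses and ports are constructed sample values, and the small port-based filter stands in for the filtering means.

```python
"""
Fragment machine: collect fragments until the fragment header arrives, keep the header
per datagram, then pass every fragment to the filter with the header attached.
Added example, not the patent's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ident: int                    # IP identification shared by all fragments of one datagram
    offset: int                   # fragment offset in bytes
    more: bool                    # "more fragments" flag
    sport: Optional[int] = None   # transport ports exist only in the offset-0 fragment
    dport: Optional[int] = None


Header = Tuple[int, int]              # (sport, dport) recorded from the fragment header
Key = Tuple[str, str, int, int]


@dataclass
class Entry:
    header: Optional[Header]
    pending: List[Fragment] = field(default_factory=list)   # fragments seen before the header


class FragmentMachine:
    def __init__(self, max_pending: int = 64) -> None:
        self.entries: Dict[Key, Entry] = {}
        self.max_pending = max_pending   # bound on held fragments per datagram

    @staticmethod
    def key(f: Fragment) -> Key:
        return (f.src, f.dst, f.proto, f.ident)

    def feed(self, frag: Fragment) -> List[Tuple[Fragment, Header]]:
        """Return the fragments (each with header info) that may now go to the filter."""
        k = self.key(frag)
        entry = self.entries.get(k)
        if frag.offset == 0:
            if entry is None:
                entry = self.entries[k] = Entry((frag.sport, frag.dport))
            elif entry.header is None:
                entry.header = (frag.sport, frag.dport)
            # A second offset-0 fragment never overwrites the header already recorded,
            # so later fragments are judged by the header the filter first saw.
            ready = [(frag, entry.header)] + [(f, entry.header) for f in entry.pending]
            entry.pending.clear()
            return ready
        if entry is None:
            entry = self.entries[k] = Entry(None)
        if entry.header is not None:
            return [(frag, entry.header)]          # header known: forward immediately
        if len(entry.pending) >= self.max_pending:
            return []                              # buffer full: drop instead of growing unbounded
        entry.pending.append(frag)
        return []                                  # still waiting for the fragment header


def filter_decision(frag: Fragment, header: Header) -> str:
    """Stand-in for the filtering means: permit only DNS and HTTPS destination ports."""
    _sport, dport = header
    return "forward" if dport in (53, 443) else "block"


def run(machine: FragmentMachine, frags: List[Fragment]) -> List[Tuple[int, str]]:
    """Feed fragments in arrival order; return (offset, decision) for each fragment released."""
    decisions = []
    for f in frags:
        for ready, hdr in machine.feed(f):
            decisions.append((ready.offset, filter_decision(ready, hdr)))
    return decisions


if __name__ == "__main__":
    # Constructed datagram 7: the second fragment arrives before the one carrying the header.
    late_header = [
        Fragment("203.0.113.5", "10.0.0.8", 6, 7, 1480, False),
        Fragment("203.0.113.5", "10.0.0.8", 6, 7, 0, True, 50000, 443),
    ]
    print(run(FragmentMachine(), late_header))
```

Because the decision for every fragment is taken only once the header is known, a non-initial fragment cannot slip past a port-based rule merely by arriving first, and the per-datagram bound keeps the held-fragment memory under control.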



33. A method according to claim 25, wherein the step of performing a 2-dimensional lookup of the source and destination addresses of the packet comprises the further step of:

finding the closest dominating point $\hat{p}$ in $\hat{P}$ under the norm $L_\infty$, i.e. the dominating point $p_i \in \hat{P}$ of $p$, which minimises the $L_\infty$-distance between $p_i$ and $p$.

34. A method according to claim 33, wherein

the source and destination addresses are represented by a point $(s,d) \in U$, wherein $U$ is a 2-dimensional address space represented by integer pairs $(s,d)$ satisfying: $0 \le s < 2^{32}$, $0 \le d < 2^{32}$,

the set of prefixes $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ is a partition of the address space $U$,

each prefix is a logical rectangle $R$ in the address space $U$ defined by $[(s_0,d_0),(s_1,d_1)]$, where $s_1 - s_0 = s_1 - 2^{i_s} k_s = 2^{i_s}$ and $d_1 - d_0 = d_1 - 2^{i_d} k_d = 2^{i_d}$ for some non-negative integers $i_s$, $i_d$, $k_s$ and $k_d$, wherein the logical rectangle $R$ is a subset of $U$ satisfying: $(s,d) \in R$ if $s_0 \le s < s_1$, $d_0 \le d < d_1$, wherein $(s_0,d_0), (s_1,d_1) \in U$, and the pair of points $[(s_0,d_0),(s_1,d_1)]$ uniquely defines said rectangle $R$,

for each prefix $P = [(s_0,d_0),(s_1,d_1)] \in \mathcal{P}$, the point $(s_0,d_0)$ is a representative of $P$, and $\hat{P} = \{p_1, p_2, \ldots, p_n\} = \{(s_1,d_1), (s_2,d_2), \ldots, (s_n,d_n)\}$ is the set of representatives of the prefixes in $\mathcal{P}$, wherein given a point $(s_d,d_d) \in U$, for each $(s,d) \in U$ wherein $s_d \ge s$ and $d_d \ge d$, $(s,d)$ is dominated by $(s_d,d_d)$, and

given a pair of points $(s_1,d_1), (s_2,d_2) \in U$, the distance between the points under the norm $L_\infty$ is given by:

$$\lim_{k \to \infty} \sqrt[k]{|s_1 - s_2|^k + |d_1 - d_2|^k} = \max(|s_1 - s_2|, |d_1 - d_2|).$$
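The 2-dimensional prefix look-up of claims 15 to 19 and 33 to 34, as an added example that is not the patent's own code. It builds each prefix as the logical rectangle of an aligned (source prefix, destination prefix) pair, takes the lower-left corner $(s_0,d_0)$ as the representative, and selects, among the representatives dominated by the query point $p=(s,d)$ in the sense of claim 18, the one at minimum $L_\infty$ distance as in claims 16 and 19. That reading of which points are the candidates is an assumption made here; since the selected rectangle is what decides the rule subset, `lookup` additionally verifies that the chosen rectangle actually contains $p$ and returns nothing otherwise, so a table that does not satisfy the partition conditions cannot silently yield a wrong rule subset. The three-rectangle table and the rule names are constructed sample values.

```python
"""
Two-dimensional prefix look-up by closest dominated representative under the L_inf norm.
Added example, not the patent's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Point = Tuple[int, int]
U_SIZE = 1 << 32   # addresses are integers 0 <= s, d < 2^32


@dataclass(frozen=True)
class Prefix:
    """Logical rectangle [(s0, d0), (s1, d1)) in U carrying the rule subset for that region."""
    s0: int
    d0: int
    s1: int
    d1: int
    rules: Tuple[str, ...]

    @property
    def representative(self) -> Point:
        return (self.s0, self.d0)          # lower-left corner represents the prefix

    def contains(self, p: Point) -> bool:
        s, d = p
        return self.s0 <= s < self.s1 and self.d0 <= d < self.d1


def prefix_from_cidrs(src_cidr: str, dst_cidr: str, rules: Sequence[str]) -> Prefix:
    """A /n prefix is the aligned half-open interval [2^i * k, 2^i * (k + 1)) with i = 32 - n,
    which is exactly the s1 - s0 = 2^(i_s), s0 = 2^(i_s) * k_s condition of the claims."""
    src = ipaddress.IPv4Network(src_cidr)   # strict parsing rejects unaligned prefixes
    dst = ipaddress.IPv4Network(dst_cidr)
    return Prefix(int(src.network_address), int(dst.network_address),
                  int(src.broadcast_address) + 1, int(dst.broadcast_address) + 1, tuple(rules))


def is_partition(prefixes: Sequence[Prefix]) -> bool:
    """True when the rectangles are pairwise disjoint and together cover all of U."""
    area = 0
    for i, a in enumerate(prefixes):
        area += (a.s1 - a.s0) * (a.d1 - a.d0)
        for b in prefixes[i + 1:]:
            if a.s0 < b.s1 and b.s0 < a.s1 and a.d0 < b.d1 and b.d0 < a.d1:
                return False
    return area == U_SIZE * U_SIZE


def linf(p: Point, q: Point) -> int:
    """L_inf distance: max(|s1 - s2|, |d1 - d2|)."""
    return max(abs(p[0] - q[0]), abs(p[1] - q[1]))


def dominates(pd: Point, p: Point) -> bool:
    """(s, d) is dominated by (s_d, d_d) when s_d >= s and d_d >= d."""
    return pd[0] >= p[0] and pd[1] >= p[1]


def closest_dominated_representative(prefixes: Sequence[Prefix], p: Point) -> Optional[Prefix]:
    """Among representatives dominated by p, pick the prefix minimising the L_inf distance to p."""
    best, best_dist = None, None
    for pre in prefixes:
        rep = pre.representative
        if not dominates(p, rep):
            continue
        dist = linf(rep, p)
        if best is None or dist < best_dist:
            best, best_dist = pre, dist
    return best


def lookup(prefixes: Sequence[Prefix], src_ip: str, dst_ip: str) -> Optional[Prefix]:
    """Find the prefix (and thus the rule subset) for a packet's source and destination."""
    p = (int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip)))
    candidate = closest_dominated_representative(prefixes, p)
    if candidate is None or not candidate.contains(p):
        return None    # guard: never hand back a rule subset whose rectangle misses the point
    return candidate


# Constructed partition of U from three (source prefix, destination prefix) pairs.
TABLE = (
    prefix_from_cidrs("0.0.0.0/1",   "0.0.0.0/0",   ["allow dns", "deny other"]),
    prefix_from_cidrs("128.0.0.0/1", "0.0.0.0/1",   ["deny all"]),
    prefix_from_cidrs("128.0.0.0/1", "128.0.0.0/1", ["allow http", "deny other"]),
)

if __name__ == "__main__":
    print("partition:", is_partition(TABLE))
    for src, dst in [("10.1.2.3", "8.8.8.8"), ("192.0.2.5", "1.1.1.1"), ("198.51.100.9", "203.0.113.4")]:
        hit = lookup(TABLE, src, dst)
        print(src, "->", dst, ":", hit.rules if hit else None)
```

The rule subset returned by `lookup` is what the rule-matching step of claims 15 and 25 then searches on the packet's remaining data fields; `is_partition` is the check a practitioner would run whenever the table is rebuilt, since the look-up only makes sense for a table that really partitions the address space.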



